php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Return to Bug #66462
Patch Opcache-password.patch revision 2014-01-10 23:38 UTC by Terry at ellisons dot org dot uk

Patch Opcache-password.patch for opcache Bug #66462

Patch version 2014-01-10 23:38 UTC

Return to Bug #66462 | Download this patch
Patch Revisions:

Developer: Terry@ellisons.org.uk

--- a/zend_accelerator_module.c
+++ b/zend_accelerator_module.c
@@ -35,6 +35,7 @@
 #endif
 #include "ext/standard/info.h"
 #include "ext/standard/php_filestat.h"
+#include "ext/standard/md5.h"
 
 #define STRING_NOT_NULL(s) (NULL == (s)?"":s)
 #define MIN_ACCEL_FILES 200
@@ -48,6 +49,10 @@ static void (*orig_is_readable)(INTERNAL_FUNCTION_PARAMETERS) = NULL;
 ZEND_BEGIN_ARG_INFO(arginfo_opcache_none, 0)
 ZEND_END_ARG_INFO()
 
+ZEND_BEGIN_ARG_INFO_EX(arginfo_opcache_enable_api, 0, 0, 1)
+	ZEND_ARG_INFO(0, password)
+ZEND_END_ARG_INFO()
+
 ZEND_BEGIN_ARG_INFO_EX(arginfo_opcache_get_status, 0, 0, 0)
 	ZEND_ARG_INFO(0, fetch_scripts)
 ZEND_END_ARG_INFO()
@@ -62,6 +67,7 @@ ZEND_BEGIN_ARG_INFO_EX(arginfo_opcache_invalidate, 0, 0, 1)
 ZEND_END_ARG_INFO()
 
 /* User functions */
+static ZEND_FUNCTION(opcache_enable_api);
 static ZEND_FUNCTION(opcache_reset);
 static ZEND_FUNCTION(opcache_invalidate);
 
@@ -72,6 +78,7 @@ static ZEND_FUNCTION(opcache_get_configuration);
 
 static zend_function_entry accel_functions[] = {
 	/* User functions */
+	ZEND_FE(opcache_enable_api,				arginfo_opcache_compile_file)
 	ZEND_FE(opcache_reset,					arginfo_opcache_none)
 	ZEND_FE(opcache_invalidate,				arginfo_opcache_invalidate)
 	ZEND_FE(opcache_compile_file,			arginfo_opcache_compile_file)
@@ -83,6 +90,11 @@ static zend_function_entry accel_functions[] = {
 
 static int validate_api_restriction(TSRMLS_D)
 {
+	if (!ZCG(accel_directives).api_enabled) {
+		zend_error(E_WARNING, ACCELERATOR_PRODUCT_NAME " API is restricted by \"api_password\" configuration directive");
+		return 0;
+	}
+
 	if (ZCG(accel_directives).restrict_api && *ZCG(accel_directives).restrict_api) {
 		int len = strlen(ZCG(accel_directives).restrict_api);
 
@@ -278,6 +328,7 @@ ZEND_INI_BEGIN()
 	STD_PHP_INI_BOOLEAN("opcache.enable_cli"             , "0"   , PHP_INI_SYSTEM, OnUpdateBool,              accel_directives.enable_cli,                zend_accel_globals, accel_globals)
 	STD_PHP_INI_ENTRY("opcache.error_log"                , ""    , PHP_INI_SYSTEM, OnUpdateString,	         accel_directives.error_log,                 zend_accel_globals, accel_globals)
 	STD_PHP_INI_ENTRY("opcache.restrict_api"             , ""    , PHP_INI_SYSTEM, OnUpdateString,	         accel_directives.restrict_api,              zend_accel_globals, accel_globals)
+	STD_PHP_INI_ENTRY("opcache.api_password"             , ""    , PHP_INI_SYSTEM, OnUpdateString,	         accel_directives.api_password,              zend_accel_globals, accel_globals)
 
 #ifdef ZEND_WIN32
 	STD_PHP_INI_ENTRY("opcache.mmap_base", NULL, PHP_INI_SYSTEM,	OnUpdateString,	                             accel_directives.mmap_base,                 zend_accel_globals, accel_globals)
@@ -675,6 +686,47 @@ static ZEND_FUNCTION(opcache_get_configuration)
 	add_assoc_zval(return_value, "blacklist", blacklist);
 }
 
+/* {{{ proto bool opcache_enable_api(string password)
+   Enable use of opcache API if opcache.enable_api is defined */
+static ZEND_FUNCTION(opcache_enable_api)
+{
+	char *password;
+	int password_len;
+	char md5str[33];
+	PHP_MD5_CTX context;
+	unsigned char digest[16];
+
+	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &password, &password_len) == FAILURE) {
+		return;
+	}
+
+	if (!ZCG(enabled) || !accel_startup_ok || !ZCSG(accelerator_enabled)) {
+		RETURN_FALSE;
+	}
+
+	/* Copy of PHP_NAMED_FUNCTION(php_if_md5) using public API in ext/standard/md5.h */
+	if (!ZCG(accel_directives).api_enabled && strlen(ZCG(accel_directives).api_password) == 32) {
+		md5str[0] = '\0';
+		PHP_MD5Init(&context);
+		PHP_MD5Update(&context, password, password_len);
+		PHP_MD5Final(digest, &context);
+		make_digest(md5str, digest);
+		if (memcmp(md5str, ZCG(accel_directives).api_password, 32)) { 
+			zend_error(E_WARNING, ACCELERATOR_PRODUCT_NAME " Invalid API enable password");
+			RETURN_FALSE;
+		} else {
+			ZCG(accel_directives).api_enabled = 1;
+		}
+	}
+
+	if (!validate_api_restriction(TSRMLS_C)) {
+		RETURN_FALSE;
+	}
+	RETURN_TRUE;
+
+}
+
+/* }}} */
 /* {{{ proto void accelerator_reset()
    Request that the contents of the opcode cache to be reset */
 static ZEND_FUNCTION(opcache_reset)
--- a/ZendAccelerator.c
+++ b/ZendAccelerator.c
@@ -2167,6 +2167,9 @@ static void accel_activate(void)
 		}
 	}
 
+	/* The API is enabled by default if opcache.api_password == "" */
+	ZCG(accel_directives).api_enabled = (!ZCG(accel_directives).api_password || !*ZCG(accel_directives).api_password);
+
 	ZCG(cwd) = NULL;
 
 	SHM_PROTECT();
--- a/README
+++ b/README
@@ -213,6 +213,12 @@ opcache.restrict_api (default "")
 	Allows calling OPcache API functions only from PHP scripts which path is
 	started from specified string. The default "" means no restriction.
 
+opcache.api_password (default "")
+	calling OPcache API functions only from PHP scripts which first
+	the API by calling opcache_enable_api("password"). This parameter
+	is set to the MD5 of the required password.  Note that if the 
+	opcache.restrict_api is also set then both tests are applied. 
+
 opcache.mmap_base
 	Mapping base of shared memory segments (for Windows only). All the PHP
 	processes have to map shared memory into the same address space. This

 
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Thu Jan 28 15:01:24 2021 UTC